Merge branch 'main' into cloud-printing-overview

Author: mnorman-ms

.github/pull_request_template.md

@@ -1,17 +1,21 @@
-**Instructions:** _Add any supporting information, such as a description of the PR changes, here._
-
-
+> [!IMPORTANT]
+> Required for API changes:
+> - Link to API.md file: *ADD LINK HERE*
+> - Link to **PR** for public-facing schema changes (schema-Prod-beta/v1.0.csdl):  *ADD LINK HERE*
 
+---
+Add other supporting information, such as a description of the PR changes:
 
+*ADD INFORMATION HERE*
 
 ---
-> [!NOTE]
+> [!IMPORTANT]
 > The following guidance is for Microsoft employees only. Community contributors can ignore this message; our content team will manage the status.
 <details><summary><i>After you've created your PR</i>, expand this section for tips and additional instructions.</summary>
 
 
 - **do not merge** is the default PR status and is automatically added to all open PRs that don't have the **ready to merge** label.
-- Add the **ready for content review** label to start a review. Your PR won't be reviewed until you add this label.
+- Add the **ready for content review** label to start a review. Only PRs that have met the [minimum requirements for content review](https://dev.azure.com/msazure/One/_wiki/wikis/Microsoft%20Graph%20Partners/707655/Minimum-requirements-for-content-review) and have this label are reviewed.
 - If your content reviewer requests changes, review the feedback and address accordingly as soon as possible to keep your pull request moving forward. After you address the feedback, remove the **changes requested** label, add the **review feedback addressed** label, and select the **Re-request review** icon next to the content reviewer's alias. If you can't add labels, add a comment with `#feedback-addressed` to the pull request.
 - After the content review is complete, your reviewer will add the **content review complete** label. When the updates in this PR are ready for external customers to use, replace the **do not merge** label with **ready to merge** and the PR will be merged within 24 working hours.
 - Pull requests that are inactive for more than 6 weeks will be automatically closed. Before that, you receive reminders at 2 weeks, 4 weeks, and 6 weeks. If you still need the PR, you can reopen or recreate the request.

api-reference/beta/api/accesspackage-delete-accesspackageresourcerolescopes.md

@@ -1,6 +1,6 @@
 ---
 title: "Remove resourceRoleScope from an access package"
-description: "Remove a resourceRoleScope from an access package."
+description: "Remove an accessPackageResourceRoleScope from an accessPackage list of resource role scopes."
 ms.localizationpriority: medium
 author: "markwahl-msft"
 ms.subservice: "entra-id-governance"
@@ -13,7 +13,7 @@ Namespace: microsoft.graph
 
 [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
 
-Remove a [accessPackageResourceRoleScope](../resources/accesspackageresourcerolescope.md) from an [accessPackage](../resources/accesspackage.md) list of resource role scopes.
+Remove an [accessPackageResourceRoleScope](../resources/accesspackageresourcerolescope.md) from an [accessPackage](../resources/accesspackage.md) list of resource role scopes.
 
 [!INCLUDE [national-cloud-support](../../includes/global-us.md)]
 

api-reference/beta/api/accesspackage-filterbycurrentuser.md

@@ -12,6 +12,10 @@ Namespace: microsoft.graph
 
 [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
 
+> [!CAUTION]
+> The **filterByCurrentUser** function is on a deprecation path and exists only to support current customers. We don't recommend using this function.
+
+
 In [Microsoft Entra Entitlement Management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackage](../resources/accesspackage.md) objects filtered on the signed-in user.
 
 [!INCLUDE [national-cloud-support](../../includes/global-us.md)]

api-reference/beta/api/adminconsentrequestpolicy-get.md

@@ -22,10 +22,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "adminconsentrequestpolicy_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/adminconsentrequestpolicy-get-permissions.md)]
 
-When calling on behalf of a user, the user needs to belong to at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):
-+ Global Reader
-+ Cloud Application Administrator
-+ Application Administrator
+[!INCLUDE [rbac-adminconsentrequestpolicy-apis-read](../includes/rbac-for-apis/rbac-adminconsentrequestpolicy-apis-read.md)]
 
 ## HTTP request
 

api-reference/beta/api/adminconsentrequestpolicy-update.md

@@ -20,7 +20,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "adminconsentrequestpolicy_update" } -->
 [!INCLUDE [permissions-table](../includes/permissions/adminconsentrequestpolicy-update-permissions.md)]
 
-For delegated scenarios, the calling user needs to belong to at least the *Application Administrator* or *Cloud Application Administrator* [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json).
+[!INCLUDE [rbac-adminconsentrequestpolicy-apis-update](../includes/rbac-for-apis/rbac-adminconsentrequestpolicy-apis-update.md)]
 
 ## HTTP request
 

api-reference/beta/api/administrativeunit-delta.md

@@ -13,7 +13,7 @@ Namespace: microsoft.graph
 
 [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
 
-Get newly created, updated, or deleted **administrativeUnits** without having to perform a full read of the entire resource collection. For details, see [Using delta query](/graph/delta-query-overview).
+Get newly created, updated, or deleted **administrativeUnits** without having to perform a full read of the entire resource collection. For more information, see [Use delta query to track changes in Microsoft Graph data](/graph/delta-query-overview) for details.
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
 
@@ -25,6 +25,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "administrativeunit_delta" } -->
 [!INCLUDE [permissions-table](../includes/permissions/administrativeunit-delta-permissions.md)]
 
+[!INCLUDE [rbac-admin-units-apis-read](../includes/rbac-for-apis/rbac-admin-units-apis-read.md)]
+
 ## HTTP request
 
 To begin tracking changes, you make a request that includes the delta function on the **administrativeUnit** resource.
@@ -44,7 +46,7 @@ You only need to specify any query parameters once up front.
 In subsequent requests, copy and apply the `@odata.nextLink` or `@odata.deltaLink` URL from the previous response. That URL already
 includes the encoded parameters.
 
-| Query parameter	   | Type	|Description|
+| Query parameter       | Type    |Description|
 |:---------------|:--------|:----------|
 | $deltatoken | string | A [state token](/graph/delta-query-overview) returned in the `@odata.deltaLink` URL of the previous **delta** function call for the same resource collection, indicating the completion of that round of change tracking. Save and apply the entire `@odata.deltaLink` URL including this token in the first request of the next round of change tracking for that collection.|
 | $skiptoken | string | A [state token](/graph/delta-query-overview) returned in the `@odata.nextLink` URL of the previous **delta** function call, indicating there are further changes to be tracked in the same resource collection. |

api-reference/beta/api/administrativeunit-get-members.md

@@ -24,6 +24,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "administrativeunit_get_members" } -->
 [!INCLUDE [permissions-table](../includes/permissions/administrativeunit-get-members-permissions.md)]
 
+[!INCLUDE [rbac-admin-units-apis-read](../includes/rbac-for-apis/rbac-admin-units-apis-read.md)]
+
 ## HTTP request
 
 ```http

api-reference/beta/api/administrativeunit-get-scopedrolemembers.md

@@ -24,6 +24,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "administrativeunit_get_scopedrolemembers" } -->
 [!INCLUDE [permissions-table](../includes/permissions/administrativeunit-get-scopedrolemembers-permissions.md)]
 
+[!INCLUDE [rbac-admin-units-apis-read](../includes/rbac-for-apis/rbac-admin-units-apis-read.md)]
+
 ## HTTP request
 <!-- { "blockType": "ignored" } -->
 ```http

api-reference/beta/api/administrativeunit-list-scopedrolemembers.md

@@ -24,6 +24,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "administrativeunit_list_scopedrolemembers" } -->
 [!INCLUDE [permissions-table](../includes/permissions/administrativeunit-list-scopedrolemembers-permissions.md)]
 
+[!INCLUDE [rbac-admin-units-apis-read](../includes/rbac-for-apis/rbac-admin-units-apis-read.md)]
+
 ## HTTP request
 <!-- { "blockType": "ignored" } -->
 ```http

api-reference/beta/api/administrativeunit-post-members.md

@@ -30,7 +30,7 @@ One of the following permissions is required to call this API. To learn more, in
 |Delegated (personal Microsoft account) | Not supported.    |
 |Application | AdministrativeUnit.ReadWrite.All |
 
-To add a user, group, or device to an administrative unit, the calling user must be assigned the *Privileged Role Administrator* [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json).
+[!INCLUDE [rbac-admin-units-apis-write](../includes/rbac-for-apis/rbac-admin-units-apis-write.md)]
 
 ### Permissions to create a new group
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
@@ -40,12 +40,12 @@ To add a user, group, or device to an administrative unit, the calling user must
 |Delegated (personal Microsoft account) | Not supported.    |
 |Application | Group.Create and AdministrativeUnit.Read.All, Group.ReadWrite.All and AdministrativeUnit.Read.All, Directory.ReadWrite.All |
 
-To create a new group in an administrative unit, the calling principal must be assigned at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) at the scope of the administrative unit:
-
-* Groups Administrator
-* User Administrator
-
-When these roles are assigned to a service principal, additional permissions are required to read the directory, such as assignment to the Directory Readers role, or having Microsoft Graph application permissions, such as Directory.Read.All.
+> [!IMPORTANT]
+> To create a new group in an administrative unit, the calling principal must be assigned at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) at the scope of the administrative unit:
+> - Groups Administrator
+> - User Administrator
+>
+> For app-only scenarios - apart from these roles, the service principal requires additional permissions to read the directory. These permissions can be granted via assignment of supported Microsoft Entra roles, such the Directory Readers role; or they can be granted via Microsoft Graph application permissions that allow reading the directory, such as *Directory.Read.All*.
 
 ## HTTP request